
Administration Guide

FortiAuthenticator 1.2

FortiAuthenticator Administration Guide


11 January 2012
23-120-144822-20120111
Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to
change by Fortinet without prior notice. Reproduction or transmission of this publication
is encouraged.

Trademarks
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.

Contents

Introduction
    Before you begin . . . 7
    How this guide is organized . . . 7
    Registering your Fortinet product . . . 7

Setup and System
    Initial setup . . . 10
        FortiAuthenticator VM setup . . . 10
            System requirements . . . 10
            FortiAuthenticator-VM image installation and initial setup . . . 10
        Administrative access - VM and hardware . . . 10
            Web-based manager access . . . 11
            Telnet . . . 11
            SSH . . . 11
    Adding a FortiAuthenticator unit to your network . . . 11
    System maintenance . . . 12
        Upgrading the firmware . . . 12
        Backing up the configuration . . . 13
        Logging . . . 13
            Search button . . . 13
            Log entry order . . . 14
            Log Type Reference . . . 14
            Exporting the log . . . 14
        CLI commands . . . 14
    High Availability (HA) Operation . . . 15
        Administrative access to the HA cluster . . . 16
    Configuring email relay servers . . . 16
    Troubleshooting . . . 17
        FortiAuthenticator settings . . . 17
        FortiGate settings . . . 18

Authentication users and servers . . . 19
    What to configure . . . 19
        One-factor or two-factor authentication . . . 20
        Authentication type . . . 20
            RADIUS . . . 20
            Built-in LDAP . . . 20
            Remote LDAP . . . 21
    Adding Users . . . 21
        Administrators . . . 21
        User self-registration . . . 22
        Adding a user account . . . 22
        Configuring two-factor authentication for a user . . . 23
        Configuring the user's password recovery options . . . 24
        Setting a password policy . . . 24
        User groups . . . 24
    Adding FortiToken devices . . . 24
        FortiAuthenticator and FortiTokens . . . 24
        Monitoring FortiToken devices . . . 25
        FortiToken device maintenance . . . 25
    Adding FortiGate units as NAS . . . 25
    Configuring built-in LDAP . . . 27
        LDAP directory tree overview . . . 27
        Creating the LDAP directory tree . . . 28
            Editing the root node . . . 28
            Adding nodes to the LDAP hierarchy . . . 29
            Adding user accounts to the LDAP tree . . . 29
            Moving LDAP branches in the directory tree . . . 30
            Removing entries from the directory tree . . . 30
        Configuring a FortiGate unit for FortiAuthenticator LDAP . . . 30
    Configuring Remote LDAP . . . 31
        Adding a remote LDAP server . . . 31
        Adding Remote LDAP users . . . 32
    Monitoring users . . . 33
        Dashboard . . . 33
        Users monitor . . . 33

Fortinet Single Sign On (FSSO) . . . 35
    Communicating with FortiGate units . . . 35
    Communicating with Domain Controllers . . . 37
    Monitoring FSSO units . . . 37
        Monitoring SSO users . . . 37
        Monitoring domain controllers . . . 37
        Monitoring FortiGate units . . . 38

Certificate Management . . . 39
    Certificate Authorities (CA) . . . 39
    Certificates . . . 39
    Certificate Revocation List (CRL) . . . 41
        Locally created CRL . . . 42
        Configuring Online Certificate Status Protocol . . . 42
    Users . . . 43

Index . . . 45

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.
This chapter contains the following topics:
Before you begin
How this guide is organized

Before you begin


Before you begin using this guide, please ensure that:
You have administrative access to the web-based manager and/or CLI.
The FortiAuthenticator unit is integrated into your network.
The operation mode has been configured.
The system time, DNS settings, administrator password, and network interfaces have
been configured.
Any third-party software or servers have been configured using their documentation.
While using the instructions in this guide, note that administrators are assumed to be
super_admin administrators unless otherwise specified. Some restrictions will apply to
other administrators.

How this guide is organized


This FortiAuthenticator Handbook chapter contains the following sections:
Setup and System describes initial setup for standalone and HA cluster
FortiAuthenticator configurations.
Authentication users and servers describes how to configure built-in and remote
authentication servers and manage user groups.
Fortinet Single Sign On (FSSO) describes how to use the FortiAuthenticator unit in a
single sign on (SSO) environment.
Certificate Management describes how to manage X.509 certificates and how to set up
the FortiAuthenticator unit to act as a Certificate Authority.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.


Setup and System


A FortiAuthenticator unit is an authentication server that includes a RADIUS server and
an LDAP server. Authentication servers are an important part of an enterprise network,
providing access to protected network assets and tracking users' activities to comply
with security policies.
A FortiAuthenticator unit is not a firewall; it requires a FortiGate unit to provide
firewall-related services. Multiple FortiGate units can use a single FortiAuthenticator
unit for Fortinet Single Sign On (FSSO) and other types of remote authentication,
two-factor authentication, and FortiToken device management. This centralizes
authentication and FortiToken maintenance.
FortiAuthenticator provides an easy-to-configure remote authentication option for
FortiGate users. Additionally, it can replace the FSSO Agent on a Windows AD network.
FortiAuthenticator is a server and should be isolated on a network interface separate
from other hosts to facilitate server-related firewall protection. Failure to protect the
FortiAuthenticator may result in compromised authentication databases.
Figure 1: FortiAuthenticator on a multiple FortiGate unit network (diagram labels: Client
Network, FortiGate unit, FortiAuthenticator, FortiGate unit, Client Network)

The following topics are included in this section:


Initial setup
Adding a FortiAuthenticator unit to your network
System maintenance
Troubleshooting

Initial setup
For information about installing the FortiAuthenticator unit and accessing the CLI or
web-based manager, refer to the Quick Start Guide provided with your unit. The following
section provides information about setting up the Virtual Machine (VM) version of the
product.

FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host
the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM
assume you are familiar with VMware products and terminology.

System requirements
The minimum system requirements for a computer running the FortiAuthenticator VM
image are:
the latest version of VMware Player, Fusion, or Workstation installed
512 MB of RAM minimum
one virtual NIC minimum, to a maximum of four virtual NICs
a minimum of 3 GB free disk space

FortiAuthenticator-VM image installation and initial setup


The following procedure describes setup on VMware Fusion.
To set up the FortiAuthenticator VM image
1 Download the VM image ZIP file to the local computer where VMware is installed.
2 Extract the files from the zip file into a folder.
3 In VMware Fusion, go to File > Open.
4 Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file
and select Open.
VMware will install and start FortiAuthenticator-VM. This process can take a minute or
two to complete.
5 At the FortiAuthenticator login prompt, enter admin and press Enter.
6 At the password prompt, press Enter.
By default, there is no password.
7 At the CLI prompt enter the following commands:
set port1-ip 192.168.1.99/24
set default-gw 192.168.1.2
Substitute your own desired FortiAuthenticator IP address and default gateway.
You can now connect to the web-based manager at the address you set for port1-ip.

Administrative access - VM and hardware


Administrative access is enabled by default on port 1. Using the web-based manager,
you can enable administrative access on other ports if necessary.
Adding administrative access to an interface
1 Go to System > Network > Interfaces. Select the desired interface to edit.

2 In Admin access, select the types of access to allow.


3 Select OK.

Web-based manager access


To use the web-based manager, point your browser to the port1 IP address, default
192.168.1.99. For example,
http://192.168.1.99
Enter admin as the User Name and leave the Password field blank.
For secure access, you can enter https instead of http in the URL.

Telnet
CLI access is available using telnet to the port1 interface IP address, default
192.168.1.99. Use the telnet -K option so that telnet does not attempt to log on using
your user ID. For example:
$ telnet -K 192.168.1.99
At the FortiAuthenticator login prompt, enter admin. When prompted for password, just
press Enter. By default there is no password. When you are finished, use the exit
command to end the telnet session.

SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address,
default 192.168.1.99. Specify the user name admin or SSH will attempt to log on with
your user name. For example:
$ ssh admin@192.168.1.99
At the password prompt, just press Enter. By default there is no password. When you are
finished, use the exit command to end the session.

Adding a FortiAuthenticator unit to your network


Before the initial setup of FortiAuthenticator, your network must meet the following
requirements:
You must have security policies that allow traffic between the client network and the
subnet of the FortiAuthenticator.
You must ensure that the following ports are open in the security policies between the
FortiAuthenticator and the NAS devices that will be authenticating: port 8000 (FSSO),
ports 389 and 636 (LDAP), and port 1812 (RADIUS), in addition to management
protocols such as HTTP, HTTPS, telnet, SSH, Ping, and other protocols you may choose
to allow.
To initially setup FortiAuthenticator on your network
1 Log on to the web-based manager.
Use admin for the username. There is no password.
2 Go to System > Network > DNS. Enter your primary and secondary name servers.
3 Go to System > Dashboard > Status.
4 In System Information, select Change in the System Time field.
5 Select your time zone from the list.

6 Either enable NTP or set the date/time manually.


Enter a new time and date by either typing it manually, selecting Today or Now, or
select the calendar or clock icons for a more visual method of setting the date and
time.
If you will be using FortiToken devices, Fortinet strongly recommends using NTP, because
FortiToken authentication codes require an accurate system clock.
7 Select OK.
8 If the FortiAuthenticator is connected to additional subnets, configure additional
FortiAuthenticator interfaces as required.
Go to System > Network > Interfaces to set the IP address and subnet mask for
each interface.
Go to System > Network > Default Gateway to set the gateway for each interface
as required.

System maintenance
System maintenance tasks are limited to changing the firmware, and backing up or
restoring the configuration file.
This section includes:
Upgrading the firmware
Backing up the configuration
Logging
CLI commands

Upgrading the firmware


Periodically, Fortinet issues firmware upgrades that fix known issues, add new features
and functionality, and generally improve your FortiAuthenticator experience.
To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See
Registering your Fortinet product on page 7.
To upgrade FortiAuthenticator firmware
1 Download the latest firmware to your local computer from the Fortinet Technical
Support web site, https://support.fortinet.com.
2 On FortiAuthenticator, go to System > Maintenance > Firmware.
3 Select Browse, and locate the new firmware image on your local computer.
4 Select OK.
When you select OK, the new firmware image will upload from your local computer to the
FortiAuthenticator, which will then reboot. You will experience a short period of time
during this reboot when the FortiAuthenticator is offline and unavailable for
authentication.

Backing up the configuration


You can back up the configuration of the FortiAuthenticator to your local computer. The
backup file is encrypted to prevent tampering. This configuration file backup includes
both the CLI and web-based manager configuration of the FortiAuthenticator. The
backed up information includes users, user groups, FortiToken device list, NAS device
list, LDAP directory tree, FSSO settings, remote LDAP, and certificates.
To back up your configuration
1 Go to System > Maintenance > Config.
2 Under Backup, select the Click here link and save the file on your computer.
To restore your configuration
1 Go to System > Maintenance > Config.
2 Browse to the location of the backup file on your computer, and select Restore.
You will be prompted to confirm the restore action.
3 Select OK.
The FortiAuthenticator unit will reboot.
When you restore the configuration from a backup file, any information changed since
the backup will be lost. Any active sessions will be ended and must be restarted. You
will have to log back in when the system reboots.

Logging
Accounting is an important part of FortiAuthenticator as with any authentication server.
Logging provides a record of the events that have taken place on the FortiAuthenticator.
To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help
you search your logs for the information you need. This includes:
Search button
Log entry order
Log Type Reference

Search button
You can enter a string to search for in the log entries. The string must appear in the
Message portion of the log entry to result in a match for the search. To prevent each term
in a phrase from being matched separately, multiple keywords must be in quotes and be
an exact match.
After the search is complete, the number of positive matches is displayed next to the
Search button, with the total number of log entries in brackets following it. Select the
total number of log entries to return to the full list. Subsequent searches search all log
entries and not just the previous search's matches.

Log entry order


You can change the order used to display the log entries. To sort the log entries by a
particular column, such as Timestamp, select the title for that column. The log entries are
then displayed based on the data in that column in ascending order. Ascending or
descending order is indicated by an arrow next to the column title: an up arrow for
ascending, and a down arrow for descending.

Log Type Reference


There are Admin Configuration, Authentication, System, and User Portal events. Each of
these have multiple log message types for each major event. To see the various types of
log messages, go to Logging > Log Access > Logs and select Log Type Reference.
On this page, you can search for the exact text of a specific log message. The search will
return any matches in any columns.

Exporting the log


You can select Download Raw Log to export the FortiAuthenticator log as a text file
named fac.log.

CLI commands
The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or
Telnet. Their purpose is to initially configure the unit, perform a factory reset, or reset the
values if the web-based manager is not accessible for some reason.
help
    Display a list of valid CLI commands. You can also enter ? for help.

set port1-ip <addr_ipv4mask>
    Enter the IPv4 address and netmask for the port1 interface. The netmask is
    expected in the /xx format, for example 192.168.0.1/24. Once this port is
    configured, you can use the web-based manager to configure the remaining ports.

set default-gw <addr_ipv4>
    Enter the IPv4 address of the default gateway for this interface. This is the
    default route for this interface.

set date <YYYY-MM-DD>
    Enter the current date. The valid format is a four-digit year, two-digit month,
    and two-digit day. For example, set date 2011-08-12 sets the date to
    August 12th, 2011.

set time <HH:MM:SS>
    Enter the current time. The valid format is two digits each for hours, minutes,
    and seconds, using a 24-hour clock. For example, 15:10:00 is 3:10 pm.

set tz <timezone_index>
    Enter the current time zone using the time zone index. To see a list of index
    numbers and their corresponding time zones, enter set tz ?.

unset <setting>
    Restore the default value. For each set command listed above, there is an unset
    command, for example unset port1-ip.

show
    Display the current settings of the port1 IP address, netmask, default gateway,
    and time zone.

exit
    Terminate the CLI session.

reboot
    Perform a hard restart of the FortiAuthenticator unit. All sessions will be
    terminated. The unit will go offline and there will be a delay while it restarts.

factory-reset
    Reset the FortiAuthenticator settings to the factory defaults. This includes
    clearing the user database. This procedure deletes all changes that you have made
    to the FortiAuthenticator configuration and reverts the system to its original
    configuration, including resetting interface addresses.

shutdown
    Turn off the FortiAuthenticator.

status
    Display basic system status information including firmware version, build number,
    serial number of the unit, and system time.

High Availability (HA) Operation


Two FortiAuthenticator units can operate as a cluster to provide even higher reliability.
One unit is active and the other is on standby. If the active unit fails, the standby unit
becomes active. The cluster is configured as a single authentication server on your
FortiGate units.
Authentication requests made during a failover from one unit to another are lost, but
subsequent requests complete normally. The failover process takes about 30 seconds.
To configure FortiAuthenticator HA
1 On each unit, go to System > Maintenance > High Availability and enter:

Enable HA
    Enable.

Interface
    Select a network interface to use for communication between the two cluster
    members. This interface must not already have an IP address assigned and it
    cannot be used for authentication services.

Cluster member IP address
    Enter the IP address this unit uses for HA-related communication with the other
    FortiAuthenticator unit. The two units must have different addresses. Usually,
    you should assign addresses on the same private subnet.

Admin access
    Select the types of administrative access to allow.

Priority
    Set to Low on one unit and High on the other. Normally, the unit with High
    priority is the master unit.

Password
    Enter a string to be used as a shared key for IPsec encryption. This must be the
    same on both units.

2 When one unit has become the master, connect to the web-based manager again and
complete your configuration. You are configuring the Master unit. The configuration
will automatically be copied to the slave unit.
Refer to the other chapters of this manual for more information. Configuring the
cluster is the same as configuring a single FortiAuthenticator unit.

Administrative access to the HA cluster


Administrative access is available through any of the network interfaces using their
assigned IP addresses or through the HA interface using the Cluster member IP address,
assigned on the System > Maintenance > High Availability page. In all cases,
administrative access is available only if it is enabled on the interface.
Administrative access through any of the network interface IP addresses connects only
to the master unit. The only administrative access to the slave unit is through the HA
interface using the slave unit's Cluster member IP address.
Configuration changes made on the master unit are automatically pushed to the slave
unit. The slave unit does not permit configuration changes, but you might want to access
the unit to change HA settings or for firmware upgrade, shutdown, reboot, or
troubleshooting.

Configuring email relay servers


The FortiAuthenticator unit sends email for several purposes, such as password reset
requests, new user approvals, user self-registration, and two-factor authentication. By
default, the FortiAuthenticator unit uses its built-in SMTP server. For situations where
direct SMTP access is not possible, the unit can be configured to use an external mail
relay.
To add an external SMTP server
1 Go to System > E-mails > SMTP Servers and select Create New.
2 Enter the following:

Name
    Enter a name to identify this mail server on the FortiAuthenticator unit.

Server Name/IP
    Enter the IP address or FQDN of the mail server.

Sender e-mail address
    Enter the email address to put in the From field on email messages from the
    FortiAuthenticator unit.

Secure connection
    For a secure connection to the mail server, select STARTTLS and select the CA
    certificate that validates the server's certificate. For information about
    importing the CA certificate, see To import a CA certificate on page 41.

Enable authentication
    Select if the email server requires you to authenticate when sending email. Enter
    the Account username and Password.

3 Optionally, select Test Connection to send a test email message. Specify a recipient
and select Send. Confirm that the recipient received the message.
The recipient's email system might treat the test email message as spam.

4 Select OK.
To set the default email server
1 Go to System > E-mails > SMTP Servers.
2 Select the check box of the server that you want to make the default.
3 Select Set as Default.

Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may
occur. For additional help, always contact customer support.
If you have issues when attempting authentication on FortiGate using the
FortiAuthenticator, there are some FortiAuthenticator settings and FortiGate settings to
check.
In addition to these settings you can use log entries, monitors, and debugging
information to determine more information about your authentication problems. For help
with FortiAuthenticator logging, see Logging on page 13. For help with FortiGate
troubleshooting, see the FortiOS Handbook Troubleshooting and User Authentication
guides.

FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure that:
there is a NAS entry for the FortiGate unit (see Adding FortiGate units as NAS on
page 25),
the user trying to authenticate has a valid active account that is not disabled, and that
the username and password are spelled as expected,
the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate
unit,
the FortiGate unit can communicate with the FortiAuthenticator unit,
the user account exists
    as a local user on the FortiAuthenticator (if using RADIUS authentication),
    in the local LDAP directory (if using local LDAP authentication),
    in the remote LDAP directory (if using RADIUS authentication with remote LDAP
    password validation),
the user is a member of the expected user groups and these user groups are allowed
to communicate on the NAS (the FortiGate unit, for example).
If authentication fails with the log error "bad password", try resetting the password. If
this fails, verify that the pre-shared secret is identical on both the FortiAuthenticator and
the NAS.
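One way to exercise these checks from the NAS side, as an added example that is not part of this guide or Fortinet's code: it builds a RADIUS PAP Access-Request for UDP port 1812 (RFC 2865) and validates the reply's Response Authenticator with the shared secret, so a secret mismatch (an unverifiable reply) can be told apart from a rejected user password. The host, secret, user name and NAS address below are constructed placeholders.

```python
"""RADIUS PAP Access-Request builder and reply checker (RFC 2865).

Added example, not Fortinet's code. It assumes the FortiAuthenticator listens on
UDP 1812, that this host is registered there as a NAS, and that the secret passed
in is the one entered on that NAS entry (all sample values are constructed)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_pap_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous)."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block  # the next block is chained on this ciphertext
    return out


def decode_pap_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    """Server-side inverse; with a different secret it yields garbage, which the
    server then logs as a bad password even though the user typed it correctly."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # assumes the real password has no trailing NUL bytes


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, password: str, ident: int = None,
                         authenticator: bytes = None, nas_ip: str = "192.0.2.10") -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    ident = os.urandom(1)[0] if ident is None else ident
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     encode_pap_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret: bytes, code: int, ident: int, request_authenticator: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a server emits; used here only to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret: bytes, request_authenticator: bytes, response: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def classify_response(secret: bytes, request_authenticator: bytes, response: bytes) -> str:
    """Apply the troubleshooting order above: an unverifiable reply points at the
    shared secret; a verified Access-Reject points at the account, group or password."""
    if not verify_response(secret, request_authenticator, response):
        return "unverifiable"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], f"code {response[0]}")


def send_access_request(host: str, secret: bytes, username: str, password: str,
                        port: int = 1812, timeout: float = 3.0) -> str:
    """One UDP exchange. No reply usually means there is no NAS entry for this host
    or port 1812 is not open in the security policy, since RADIUS servers silently
    discard requests from unknown clients."""
    authenticator = os.urandom(16)
    request = build_access_request(secret, username, password, authenticator=authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if response[1] != request[1]:
        return "identifier mismatch"
    return classify_response(secret, authenticator, response)


if __name__ == "__main__":
    # Placeholder address, secret and credentials; substitute your own values.
    print(send_access_request("192.168.1.99", b"REPLACE_WITH_NAS_SECRET", "alice", "Pa55word!"))
```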

FortiGate settings
When checking FortiGate authentication settings, you should ensure that:
the user has membership in the required user groups and identity-based security
policies,
there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server,
the user is configured explicitly or as a wildcard user.

Authentication users and servers



FortiAuthenticator provides an easy-to-configure authentication server for your users.
Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication
and FortiToken device management.
Figure 2: FortiAuthenticator on a multiple FortiGate unit network (diagram labels: Client
Network, FortiGate unit, FortiAuthenticator, FortiGate unit, Client Network)

The following topics are included in this section:


What to configure
Adding Users
Adding FortiToken devices
Adding FortiGate units as NAS
Configuring built-in LDAP
Configuring Remote LDAP
Monitoring users

What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
Determine whether you want two-factor authentication and what form that will take.
Determine the type of authentication you will use: RADIUS, built-in LDAP, or Remote
LDAP. You will need to use at least one of these types.
Determine which FortiGate units will use the FortiAuthenticator unit. The
FortiAuthenticator unit must be configured on each FortiGate unit as an authentication
server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit must
be configured on the FortiAuthenticator unit as a NAS.

One-factor or two-factor authentication


The standard logon requires the user to know the password. This is one-factor
authentication. Two-factor authentication adds the requirement for another piece of
information for logon. Generally the two factors are something you know (password) and
something you have (certificate, token). This increases the difficulty for an unauthorized
person to impersonate a legitimate user.

Two-factor authentication does not work with FortiOS explicit proxies.

The FortiAuthenticator unit has multiple ways of providing the second factor (something
you have) to the user. Digital certificates are covered in a later chapter. The
other methods rely on a six-digit PIN which changes regularly and is known only to the
FortiAuthenticator unit and the user. This PIN can be delivered to the user in multiple
ways:
a FortiToken device registered with the FortiAuthenticator and the user's account
an email account specified in the user account
a cell phone number with SMS service specified in the user account

Authentication type
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the
use of external LDAP, which can include Windows AD servers.
The built-in servers are best used where there is no existing authentication infrastructure.
You build a user account database on the FortiAuthenticator unit. The database can
include additional user information such as street address and phone numbers that
cannot be stored in a FortiGate unit's user authentication database. You can use either
LDAP or RADIUS protocol.
The external server options are intended to integrate FortiGate authentication into
networks that already have an authentication infrastructure. The Fortinet Single Sign-On
(FSSO) option works on Microsoft Windows networks, enabling users already
authenticated by a Windows AD server to access network resources. The Remote LDAP
option adds your FortiGate units to an existing LDAP structure. Optionally, you can add
two-factor authentication to Remote LDAP.

RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must
be registered as NAS in Authentication > NAS. See Adding FortiGate units as NAS on
page 25. On each FortiGate unit that will use RADIUS protocol, the FortiAuthenticator
unit must be configured as a RADIUS server in User > Remote > RADIUS.

Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users
from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the
LDAP directory tree on page 28. On each FortiGate unit that will use LDAP protocol, the
FortiAuthenticator unit must be configured as an LDAP server in User > Remote > LDAP.


Remote LDAP
Remote LDAP must be enabled in each user account. FortiGate units must be registered
as NAS in Authentication > NAS. See Adding FortiGate units as NAS on page 25.
FortiGate units must communicate with the FortiAuthenticator unit using RADIUS
protocol, with the FortiAuthenticator unit entered as a RADIUS server in User > Remote >
RADIUS.
User accounts that use two-factor authentication must be imported into the
FortiAuthenticator database. You can do this in the server configuration in
Authentication > Users > Remote.

Adding Users
FortiAuthenticator's user database is similar to the local user database on FortiGate
units, but it has the added benefit of being able to associate additional information with
each user, as you would expect of RADIUS and LDAP servers. This information includes:
whether the user is an administrator, uses RADIUS authentication, uses two-factor
authentication, and personal information such as full name, address, password recovery
options, and of course which groups the user belongs to.
The RADIUS server on FortiAuthenticator is configured using default settings. For a user
to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected
for that user's entry, and the authenticating client must be added to the NAS list. See
Adding FortiGate units as NAS on page 25.

Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged
as administrators.
Once flagged as an administrator, a user account's administrator privileges can be set to
either full access or customized to select their administrator rights for different parts of
FortiAuthenticator. There are log events for administrator configuration activities.
Administrators can also be configured to authenticate to the local system using
two-factor authentication.

User self-registration
Optionally, you can enable users to request registration through the FortiAuthenticator
web page. The administrator will receive the request as an email message.
To enable self-registration
1 Go to Authentication > General > Settings.
2 Under User Self-registration, select Enable and enter the Admin's e-mail address.
3 Select OK.
How the user requests registration
1 Browse to the IP address of the FortiAuthenticator unit.
Security policies must be in place on the FortiGate unit to allow these sessions to be
established.
2 Select Register.
The User Registration page opens.
3 Fill in the required fields. Optionally, fill in the Additional Information fields. Select OK.


To approve a self-registration request


1 Select the link in the Approval Required for ... email message.
The New User Approval page opens in the web browser.
2 Review the information and select either Approve or Deny, as appropriate.
If the request is approved, the FortiAuthenticator unit sends the user an email
message stating that the account has been activated.

Adding a user account


When creating a user account, there are two ways to handle the password:
The administrator assigns a password immediately and communicates it to the user.
The FortiAuthenticator unit creates a random password and emails it to the user.
1 Go to Authentication > Users > Local and select Create New.
2 Enter the Username.
3 Do one of the following:
In Password creation, select Specify a password. Enter the Password and then
enter it again in Password confirmation. Select OK.
or
In Password creation, select Set and e-mail a random password. Enter the
E-mail address for this user and then enter it again in Confirm email address. Select
OK. The email address supplied in this step is not retained in the database.
4 Edit the new user account to select authentication options or to enter more detailed
information about the user.

Configuring two-factor authentication for a user


Edit the user's account entry to configure two-factor authentication. If the authentication
code will be provided through email or SMS, add the email address or mobile information
to the User Information section first. If a FortiToken device will be used, enter the
FortiToken device in Authentication > FortiTokens first.
To configure an account for two-factor authentication
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Select Two-factor authentication.
4 Do one of the following:
Select FortiToken and then select the FortiToken device serial number from the list.
Select Email and enter the user's email address.
Select SMS and enter the user's mobile information.
5 Select OK.
By default, two factor authentication must be completed within 60 seconds after the
authentication code is sent by email or SMS. To change this timeout, go to
Authentication > General > Settings and modify Email/SMS Token Timeout.


Configuring the user's password recovery options


To replace a lost or forgotten password, the FortiAuthenticator unit can send the user a
password recovery link by email or in the browser in response to a pre-arranged security
question. The user then sets a new password.
To configure password recovery by security question
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Expand Password Recovery options.
4 Select Security Question, and select Edit.
5 Choose one of the questions in the list. If you choose to write your own question, a
custom question field will be displayed where you can enter your question.
6 Enter the answer for your question.
7 Select OK.
To configure password recovery by email
1 Go to Authentication > Users > Local.
2 Select and edit the chosen user.
3 Expand User Information, and then enter the user's E-mail address.
4 Expand Password Recovery Options.
5 Select Email.
6 Optionally, select Manage alternative emails and enter up to three additional email
addresses for this user.
In the event of password recovery, an email message is sent to all configured email
addresses, both the user information email address and the alternative email
addresses.
7 Select OK.
How the user recovers from a lost password
1 Browse to the IP address of the FortiAuthenticator.
Security policies must be in place on the FortiGate unit to allow these sessions to be
established.
2 Select Forgot my password.
3 Select either Username or Email as your method of identification.
4 Enter either your username or email address as selected in the previous step, and
then select Next.
This information is used to select the user account. If your information does not match
a user account, password recovery cannot be completed.
5 Do one of the following:
Select Send a secure link to your account email and select Next. Open the email
and select the password recovery link.
Select Answer the provided security question and select Next. Enter the correct
answer to the question and select Next.
The recovery options available depend on the settings in the user account.


6 On the Reset Password page, enter and confirm a new password and then select
Next.
The user can now authenticate using the new password.

Setting a password policy


You can require a minimum length and complexity for user passwords. Also you can
require users to change their passwords periodically.
To set password complexity requirements
1 Go to Authentication > General > Settings.
2 Set Minimum length for passwords. The default is 8.
If you enter 0, there is no minimum length, but the password cannot be empty.
3 Optionally, select Check for password complexity. You can then enable requirements
for minimum numbers of upper-case letters, lower-case letters, numeric characters,
and special (non-alphanumeric) characters.
4 Select OK.
To set a password change policy
1 Go to Authentication > General > Settings.
2 Set the Maximum password age. The default is 90 days.
3 Optionally, select Enforce password history and set the Number of passwords to
remember. New passwords must not match any of the remembered passwords.
For example, if three passwords are remembered, users cannot reuse any of their
three previous passwords.
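The checks behind these settings, as an added example that is not FortiAuthenticator code: minimum length with the "0 means any non-empty password" rule, the four complexity counts, and password history that refuses the last N passwords. Storing the history as salted SHA-256 digests is an assumption made for the demo.

```python
"""Password policy checks modelled on the settings described above.
Added example, not Fortinet code; the salted-hash history is an assumption."""
import hashlib
import os
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8            # default 8; 0 = no minimum, but never empty
    check_complexity: bool = False
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0           # non-alphanumeric characters
    history_size: int = 0          # 0 = history not enforced


@dataclass
class UserRecord:
    """Keeps only (salt, digest) pairs, newest last, so old passwords are never stored."""
    history: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def check_password(policy: PasswordPolicy, user: UserRecord, candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not candidate:
        problems.append("password cannot be empty")
    elif len(candidate) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.check_complexity:
        counts = {
            "upper-case": sum(c.isupper() for c in candidate),
            "lower-case": sum(c.islower() for c in candidate),
            "numeric": sum(c.isdigit() for c in candidate),
            "special": sum(c in string.punctuation for c in candidate),
        }
        required = {
            "upper-case": policy.min_upper, "lower-case": policy.min_lower,
            "numeric": policy.min_digits, "special": policy.min_special,
        }
        for kind, needed in required.items():
            if counts[kind] < needed:
                problems.append(f"needs at least {needed} {kind} character(s)")
    if policy.history_size:
        # Only the most recent history_size entries are remembered.
        remembered = user.history[-policy.history_size:]
        if any(_digest(candidate, salt) == digest for salt, digest in remembered):
            problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems


def set_password(policy: PasswordPolicy, user: UserRecord, candidate: str) -> bool:
    """Apply the policy and, if it passes, record the new password in the history."""
    if check_password(policy, user, candidate):
        return False
    salt = os.urandom(16)
    user.history.append((salt, _digest(candidate, salt)))
    return True
```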

User groups
You can assign users to user groups in Authentication > User Groups > Local. This is very
similar to the firewall user group feature on FortiGate units.

Adding FortiToken devices


A FortiToken device is a disconnected one-time password (OTP) generator. It is a small
physical device with a button that when pressed displays a six-digit authentication code.
This code is entered with a user's username and password as two-factor authentication.
The code displayed changes every 60 seconds. When not in use, the LCD screen is shut
down to extend the battery life.
The device has a small hole in one end. This is intended for a lanyard to be inserted so
the device can be worn around the neck, or easily stored with other electronic devices.
Do not put the FortiToken on a key ring as the metal ring and other metal objects can
damage it. The FortiToken is an electronic device like a cell phone and should be treated
with similar care.

FortiAuthenticator and FortiTokens


With FortiOS, FortiToken serial numbers must be entered to the FortiGate unit, which
then contacts FortiGuard servers to verify the information before activating them.


FortiAuthenticator acts as a repository for all FortiToken devices used on your network:
it is a single point of registration and synchronization for easier installation and
maintenance.
To add FortiToken devices
1 Go to Authentication > FortiTokens > FortiTokens.
2 Do one of the following:
Select Create New and enter the FortiToken device serial number. If there are multiple
numbers to enter, select the + icon to switch to a resizable multiple-line entry box.
Select Import to load a file containing the list of serial numbers for the tokens.
(FortiToken devices have a barcode on them that can help you read serial numbers to
create the import file.)
3 Select OK.
To register FortiToken devices, you must have a valid FortiGuard connection. Otherwise
any FortiToken devices you enter will remain at Inactive status.

Monitoring FortiToken devices


To monitor the total number of FortiToken devices registered on the FortiAuthenticator
unit, as well as the number of disabled FortiTokens, go to System > Dashboard > Status
and view the User Inventory widget.
You can also view the list of FortiTokens, their status, if their clocks are drifting, and which
user they are assigned to by going to Authentication > FortiTokens > FortiTokens.

FortiToken device maintenance


Go to Authentication > FortiTokens > FortiTokens and select Edit for the device. Do any of
the following:
Disable a device when it is reported lost or stolen.
Re-enable a device when it is recovered.
Synchronize the FortiAuthenticator and the FortiToken device when the device clock
has drifted. Synchronizing ensures that the device provides the token code that the
FortiGate unit expects, as the codes are time-based. Fortinet recommends
synchronizing all new FortiTokens.
Select History to view all commands applied to this FortiToken.
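Why the Synchronize step exists, as an added illustration that is not Fortinet code: a verifier for time-based codes accepts only a narrow window around the token's last known clock offset, and resynchronization learns a new offset from two consecutive codes. It assumes an RFC 6238 style HMAC-SHA1 code with a 60-second step; the FortiToken's actual algorithm is not described on this page, and the secret, timestamps and two-code resync procedure are constructed for the demo.

```python
"""Time-based code verification with drift tracking (added example; assumes an
RFC 6238 style code, which is not stated for FortiToken on this page)."""
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, as stated for FortiToken above
DIGITS = 6     # six-digit code


def code_at(secret: bytes, unix_time: int, offset_steps: int = 0) -> str:
    """Code a token whose clock is offset_steps ahead would show at unix_time."""
    counter = unix_time // STEP + offset_steps
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F                              # dynamic truncation
    binary = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


class TokenRecord:
    """Server-side state for one registered token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset_steps = 0     # learned clock drift, in 60-second steps
        self.enabled = True       # Disable when the device is reported lost or stolen

    def verify(self, code: str, server_time: int, window: int = 1) -> bool:
        """Normal logon: accept codes within +/-window steps of the stored offset."""
        if not self.enabled:
            return False
        for delta in range(-window, window + 1):
            expected = code_at(self.secret, server_time, self.offset_steps + delta)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def synchronize(self, code1: str, code2: str, server_time: int,
                    search: int = 100) -> bool:
        """Resync a drifted token: find the offset at which code1 and the very
        next step's code both match, and store it for future verifications."""
        for delta in range(-search, search + 1):
            if (code_at(self.secret, server_time, delta) == code1
                    and code_at(self.secret, server_time, delta + 1) == code2):
                self.offset_steps = delta
                return True
        return False
```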

Adding FortiGate units as NAS


A network access server (NAS) is a device that can authenticate using the
FortiAuthenticator unit. A FortiGate unit is an example of a NAS. A NAS is a gateway that
protects parts of the network, and requires authentication to gain access to what it
protects. A NAS is commonly used with Authentication, Authorization, and Accounting
(AAA) servers. Every device that will use the FortiAuthenticator unit for authentication
must have a NAS entry.
Every time there is a change to the list of NAS entries, two log messages are generated:
one for the NAS change, and one to state that the RADIUS server was restarted to apply
the NAS change.


When a user is configured on FortiAuthenticator, there is an option to authenticate the
user using the RADIUS database. There is a RADIUS server already configured and
running on the FortiAuthenticator server. It is set up using default values. For a computer
or other external device to access the RADIUS server on the FortiAuthenticator, that
device must have a NAS entry.
FortiAuthenticator allows both RADIUS and remote LDAP authentication for NAS entries.
If you want to use a remote LDAP server, you must configure it first so that you can
select it in the NAS configuration. You can configure the built-in LDAP server before or
after creating NAS entries.
To configure a NAS
1 Go to Authentication > NAS > NAS.
2 Select Create New and enter the following information:
Name
    A name to identify the NAS device on the FortiAuthenticator unit.
NAS name/IP
    The FQDN or IP address of the NAS unit.
Description
    Optional information about the NAS.
3 If RADIUS or Remote LDAP authentication will be used, select NAS is a RADIUS client
and enter the following information:
Secret
    The RADIUS passphrase that the FortiGate unit will use.
Two-factor Authentication
    Select one of the following:
    Mandatory: all users subject to two-factor authentication
    Optional: depends on setting in user account
    None: all users authenticated only by password
Validate passwords using an external LDAP server
    Select if Remote LDAP authentication will be used. Select the configured Remote
    LDAP server from the list. If the server is not listed, create it. See Configuring
    Remote LDAP on page 31.
Authenticate:
    Limits who can authenticate.
    All local users: No limit.
    Users from selected local groups only: Authenticate only members of specific
    FortiAuthenticator user groups. Add the required user groups to the Selected local
    groups list.
    Users using a remote LDAP server: Authenticate only users of the selected Remote
    LDAP server.
Use Radius accounting records received from this NAS as a source of FSSO user activity
    This is required only if you are using an external RADIUS server to notify the
    FortiAuthenticator unit of logon events for use by FSSO. Otherwise, leave this
    unselected. This feature will be described in later documentation.
4 If FSSO will be used, select NAS is an FSSO client.
Refer to the Fortinet Single Sign On (FSSO) chapter for information about
configuring authentication with FSSO.
5 Select OK.


Configuring built-in LDAP


Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. LDAP consists of a data-representation scheme, a set of
defined operations, and a request/response network.
In the LDAP protocol there are a number of operations a client can request such as
search, compare, and add or delete an entry. Binding is the operation where the LDAP
server authenticates the user. If the user is successfully authenticated, binding allows the
user access to the LDAP server based on that user's permissions.
This section includes:
LDAP directory tree overview
Creating the LDAP directory tree
Removing entries from the directory tree

LDAP directory tree overview


The LDAP tree defines the hierarchical organization of user account entries in the LDAP
database. The FortiGate unit requesting authentication must then be configured to
address its request to the right part of the hierarchy.
Often an LDAP server's hierarchy reflects the hierarchy of the organization it serves. The
root represents the organization itself, usually defined as Domain Component (DC), a
DNS domain, such as example.com. (As the name contains a dot, it is written as two
parts separated by a comma: dc=example,dc=com.) Additional levels of hierarchy can
be added as needed. These include:
c (country)
ou (organizational unit, such as a division)
o (organization, such as a department)
The user account entries relevant to user authentication will have element names such as
UID (user ID) or CN (common name, the user's name). They can each be placed at their
appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in
different locations and departments have different access rights. For basic authenticated
access to your office network or the Internet, a much simpler LDAP hierarchy is
adequate.
The following is a simple example of an LDAP hierarchy in which all user account
(CN) entries reside at the Organizational Unit (OU) level, just below DC.


Figure 3: LDAP object directory

When requesting authentication, an LDAP client, such as a FortiGate unit, must specify
the part of the hierarchy where the user account record can be found. This is called the
Distinguished Name (DN). In the example above, DN is
ou=People,dc=example,dc=com.
The authentication request must also specify the particular user account entry. Although
this is often called the Common Name (CN), the identifier you use is not necessarily CN.
On a computer network, it is appropriate to use UID, the person's user ID, as that is the
information that they will provide at logon.

Creating the LDAP directory tree


The following sections provide a brief explanation of each part of the LDAP attribute
directory, what it is commonly used to represent, and how to configure it on
FortiAuthenticator.
When an object name includes a space, as in Test Users, you have to enclose
the text with double-quotes. For example:
cn="Test Users",cn=Builtin,dc=get,dc=local .

Editing the root node


The root node is the top level of the LDAP directory. There can be only one. All groups,
OUs, and users branch off from the root node. Choose the distinguished name (DN) that
makes sense for your organization's root node.
There are three common forms of DN entries.
The most common consists of one or more domain component (dc) elements making up
the DN. Each part of the domain has its own dc entry. This comes directly from the DNS
entry for the organization. For example.com, the dn entry is dc=example,dc=com.
Another popular method is to use the company's Internet presence as the DN. This
method uses the domain name as the DN. For example.com, the dn entry would be
o=example.com.
An older method is to use the company name with a country entry. For Example Inc.
operating in the United States, the DN would be o=Example, Inc.,c=US . This
makes less sense with international companies.
When you configure FortiGate units to use the FortiAuthenticator unit as an
LDAP server, you will specify the distinguished name that you created here. This
identifies the correct LDAP structure to reference.


To rename the root node


1 Go to Authentication > LDAP > Directory Tree.
2 Double-click dc=example,dc=com to edit the entry.
3 In Distinguished Name (DN), enter a new name.
Example: dc=fortinet,dc=com.
4 Select OK.
If your domain name has multiple parts to it, such as
shiny.widgets.example.com, each part of the domain should be entered as part
of the DN: dc=shiny,dc=widgets,dc=example,dc=com, for example.

Adding nodes to the LDAP hierarchy


You can add a subordinate node at any level in the hierarchy as needed.
To add a node
1 Go to Authentication > LDAP > Directory Tree.
2 Select the green + next to the DN entry where the node will be added.
3 In Class, select the identifier to use.
For example, to add the ou=People node from the earlier example, select
Organizational Unit (ou).
4 Select the [Please Select] dropdown and then select Create New. Enter the name of
the node, People for example, and select OK.
5 If needed, repeat steps 2 through 4 to add other nodes.

Adding user accounts to the LDAP tree


You must add user account entries at the appropriate place in the LDAP tree. These users
must already be defined in the FortiAuthenticator user database. See Adding a user
account on page 22.
To add a user account to the LDAP tree
1 Go to Authentication > LDAP > Directory Tree.
2 Expand nodes as needed to find the required node, then select the node's green +
symbol.
In the earlier example, you would do this on the ou=People node.
3 In Class, select User (uid).
In User (Uid), the list of available users is displayed. You can choose to display them
alphabetically by user group or by user.
4 Select users in the Available Users list and move them to the Chosen Users list.
5 Select OK.
You can verify your users were added by expanding the node to see their UIDs listed
below it.


Moving LDAP branches in the directory tree


At times you may want to rearrange the hierarchy of the LDAP structure. For example a
department may be moved from one country to another.
While it is easy to move a branch in the LDAP tree, all systems that use this information
will need to be updated to the new structure or they will not be able to authenticate
users.
To move an LDAP branch
1 Go to Authentication > LDAP > Directory Tree.
2 Select Expand All.
3 Select the branch to move by selecting it and holding down the mouse button.
4 Drag the branch to the location you want it, and release the mouse button. When it is
a valid location, an arrow will appear to the left of the current branch to indicate where
the new branch will be inserted: it will be inserted below the entry with the arrow.

Removing entries from the directory tree


Adding entries to the directory tree involves placing the attribute at the proper place.
However, when removing entries it is possible to remove multiple branches at once.
Take care not to remove more branches than you intend. Remember that all systems
using this information will need to be updated to the new structure or they will not be
able to authenticate users.
To remove an entry from the LDAP directory
1 Go to Authentication > LDAP > Directory Tree.
2 Select Expand All, and select the entry to remove.
3 Select the red X for the entry.
You will be prompted to confirm your deletion. Part of the prompt lists all the entries
that will be removed with this deletion. Ensure this is the level that you intend to
delete.
4 Select Yes, I'm sure.
If the deletion was successful, there will be a green check next to the success
message above the LDAP directory and the entry will be removed from the tree.

Configuring a FortiGate unit for FortiAuthenticator LDAP


When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate
units to access the FortiAuthenticator as an LDAP server and authenticate users.
To configure the FortiGate unit for LDAP authentication
1 On the FortiGate unit, go to User > Remote > LDAP and select Create New.
2 Enter the following information and select OK:
Name
    Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit.
Server Name / IP
    Enter the FQDN or IP address of the FortiAuthenticator unit.
Server Port
    Leave at default (389).
Common Name Identifier
    Enter uid, the user ID.
Distinguished Name
    Enter the LDAP node where the user account entries can be found. For example,
    ou=People,dc=example,dc=com
    You can also use the Query button to explore the LDAP tree and select the node.
Bind Type
    The FortiGate unit can be configured to use one of three types of binding:
    anonymous - bind using anonymous user search
    regular - bind using username/password and then search
    simple - bind using a simple password authentication without a search
    You can use simple authentication if the user records all fall under one
    distinguished name (DN). If the users are under more than one DN, use the
    anonymous or regular type, which can search the entire LDAP database for the
    required username.
    If your LDAP server requires authentication to perform searches, use the regular
    type and provide values for username and password.
Secure Connection
    If you select Secure Connection, you must select LDAPS or STARTTLS protocol and
    the CA security certificate that verifies the FortiAuthenticator unit's identity.

3 Add the LDAP server to a user group. Specify that user group in identity-based
security policies where you require authentication.
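The DN forms from the root node and tree overview sections, together with the three bind types in the table above, as an added example that is not FortiOS or FortiAuthenticator code. It models a tiny in-memory directory (constructed entries, with plaintext passwords for the demo only) so the difference between simple, anonymous and regular binds can be exercised; the `search`, `bind` and `authenticate` helpers and the `SEARCH_ACCOUNT` service account are assumptions.

```python
"""DN construction and the three LDAP bind types (added example, not Fortinet code)."""
import fnmatch


def dc_dn_from_domain(domain: str) -> str:
    """'shiny.widgets.example.com' -> 'dc=shiny,dc=widgets,dc=example,dc=com'."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def rdn(attr: str, value: str) -> str:
    """Write one RDN; a value containing a space is double-quoted, as in cn="Test Users"."""
    return f'{attr}="{value}"' if " " in value else f"{attr}={value}"


def user_dn(cn_identifier: str, username: str, base_dn: str) -> str:
    """The entry a simple bind addresses: <Common Name Identifier>=<user>,<DN>."""
    return f"{rdn(cn_identifier, username)},{base_dn}"


# Constructed directory mirroring the chapter's example tree.  Keys are DNs,
# values are attributes; passwords are plaintext here purely for the demo.
DIRECTORY = {
    "uid=jsmith,ou=People,dc=example,dc=com": {"uid": "jsmith", "userPassword": "pw-j1"},
    "uid=jdoe,ou=Sales,ou=People,dc=example,dc=com": {"uid": "jdoe", "userPassword": "pw-j2"},
    "uid=alee,ou=People,dc=example,dc=com": {"uid": "alee", "userPassword": "pw-a1"},
}
# Hypothetical service account used by the regular bind type to search.
SEARCH_ACCOUNT = ("cn=fortigate,dc=example,dc=com", "bind-secret")


def bind(dn: str, password: str) -> bool:
    """A bind succeeds only when the entry exists and the password matches."""
    if (dn, password) == SEARCH_ACCOUNT:
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search(base_dn: str, filter_expr: str) -> list:
    """Subtree search below base_dn with a single-attribute glob filter, e.g. uid=j*."""
    attr, pattern = filter_expr.split("=", 1)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.endswith("," + base_dn)
                  and fnmatch.fnmatchcase(entry.get(attr, ""), pattern))


def authenticate(bind_type: str, username: str, password: str, base_dn: str,
                 cn_id: str = "uid", search_creds=None) -> bool:
    """simple: bind directly under the DN (no search); anonymous: search first,
    then bind as the found entry; regular: bind with a service account, search, bind."""
    if bind_type == "simple":
        return bind(user_dn(cn_id, username, base_dn), password)
    if bind_type == "regular":
        if search_creds is None or not bind(*search_creds):
            return False
    elif bind_type != "anonymous":
        raise ValueError(f"unknown bind type: {bind_type}")
    matches = search(base_dn, f"{cn_id}={username}")
    return len(matches) == 1 and bind(matches[0], password)
```

Note that simple bind fails for jdoe, whose entry sits one OU deeper than the configured DN, while the searching bind types find it; this is the case the table describes as "users under more than one DN".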

Configuring Remote LDAP


If you already have an LDAP server or servers configured on your network,
FortiAuthenticator can connect to them for remote authentication much like FortiOS
remote authentication.

Adding a remote LDAP server


If your organization has existing LDAP servers, you may choose to continue using them
with FortiAuthenticator by configuring them as Remote LDAP servers.
When entering the Remote LDAP server information, if any information is missing or in the
wrong format, error messages will highlight the problem for you.
To create a new remote LDAP server entry
1 Go to Authentication > Remote > LDAP.
2 Select Create New.


3 Enter the following information.
Name
    Enter the name for the remote LDAP server on FortiAuthenticator.
Server name/IP
    Enter the IP address or FQDN for this remote server.
Common name identifier
    The identifier used for the top of the LDAP directory tree as it applies to
    FortiAuthenticator users. This may be the top of the tree, or only a smaller branch
    of it. cn is the default, and is used by most LDAP servers.
Base distinguished name
    Enter the base distinguished name for the server using the correct X.500 or LDAP
    format. The maximum length of the DN is 512 characters.
    You can also select the Browse button to view and select the DN on the LDAP server.
Bind Type
    The Bind Type determines how the authentication information is sent to the server.
    Select the bind type required by the remote LDAP server.
    Simple: bind using the user's password, which is sent to the server in plaintext
    without a search.
    Regular: bind using the user's DN and password and then search.
    If the user records fall under one directory, you can use the Simple bind type. But
    Regular is required to allow a search for a user across multiple domains.
4 If you want to have a secure connection between the FortiAuthenticator unit and the
remote LDAP server, select Enable under Secure Connection and enter the following:
Protocol
    Select LDAPS or STARTTLS as the LDAP server requires.
CA Certificate
    Select the CA certificate that verifies the server certificate.
5 Select OK.
You can now add remote LDAP users.

Adding Remote LDAP users


Remote LDAP users do not have to be part of the FortiAuthenticator user database on
FortiAuthenticator, unless you want to apply two-factor authentication to them.
To add Remote LDAP users
1 Go to Authentication > Users > Remote and select Import.
2 Select the Remote LDAP Server to import from and select Import Users.
3 Optionally, enter a Filter string to reduce the number of entries returned, and then
select Apply.
For example, uid=j* returns only user IDs beginning with j.
4 Select the entries you want to import and then select OK.
To add two-factor authentication to a Remote LDAP user
1 Go to Authentication > Users > Remote.
2 Select and edit the chosen user.


3 Under Two-factor authentication, do one of the following:
Select FortiToken and then select the FortiToken device serial number from the list.
Select Email and enter the user's email address.
Select SMS and enter the user's mobile information.
4 Select OK.
A FortiToken device already allocated to a local account cannot be allocated to
an LDAP user as well; it must be a different FortiToken device.

Monitoring users
There are two methods for monitoring or tracking users that are logged on: on the
dashboard, and with the Users monitor.

Dashboard
On the dashboard there are two user related widgets.
The Authentication Activity widget is a graph that tracks the number of logons over time.
It can display all logons, failed only, successful logons only, or a combination of all three.
Multiple occurrences of this widget can be displayed on the dashboard, and configured
individually.
The User Inventory widget displays the total number of configured users, groups, and
FortiTokens. It also tracks the number of disabled users and FortiTokens.

Users monitor
To see the users monitor, go to Authentication > SSO Monitor > SSO Users.
The users monitor displays a list of currently logged on FSSO users and their information.

Fortinet Single Sign On (FSSO)


FortiAuthenticator provides easy to configure remote authentication options for FortiGate
users, such as FSSO. Multiple FortiGate units can use a single FortiAuthenticator for
FSSO.
The Fortinet Single Sign On (FSSO) agent connects FortiGate security appliances to your
corporate authentication servers, such as Microsoft Active Directory and Novell
eDirectory, allowing security policies on the FortiGate unit to be based on user
information residing on the corporate authentication servers. FSSO, a component
installed on the authentication server or on a standalone server, provides user
authentication information to the FortiGate unit so users can automatically gain access
to the permitted resources with a single sign on. Older versions were called Fortinet
Server Authentication Extension (FSAE).
FortiAuthenticator acts as the FSSO Agent, or Controller Agent. It can only be configured
in polling mode, not DCAgent mode.
Figure 4: FSSO topology with FortiAuthenticator
[Figure not reproduced in this text. It shows the Windows AD Domain Controllers, the
FortiAuthenticator unit polling logon events from them, the FortiGate units on the
network, and the network clients whose client logons are tracked.]
This section includes:


Communicating with FortiGate units
Communicating with Domain Controllers
Monitoring FSSO units

Communicating with FortiGate units


In an FSSO topology, the FortiGate units provide the firewall which acts as the
authentication trigger. The FortiAuthenticator communicates logon information from the
domain controllers to the FortiGate units by polling the controllers. The FortiGate units
then authenticate the user and allow access to the network resources as requested.
The FortiAuthenticator is easier to configure than a third party server, contains both an
LDAP and RADIUS server, and performs additional functions when compared to the
normal FSSO Collector agent.
The following procedure assumes the FortiGate already has a NAS entry on the
FortiAuthenticator. See Adding FortiGate units as NAS on page 25.

To configure FortiAuthenticator to communicate with FortiGate units
1 Go to Authentication > SSO > General.
2 Select Enable Authentication and configure:
Secret key: Set to fortinet123. This is the password that will be used when configuring
the FSSO Agent on the FortiGate unit.
Log Level: Select one of Debug, Info, Warning, or Error as the minimum severity level of
event to log.
FortiGate listening port: Leave at 8000 unless your network requires you to change this.
Ensure this port is allowed through the firewall.
User Login Expiry (in minutes): The length of time users can remain logged in before the
system logs them off automatically. The default is 300 minutes (5 hours).
3 On the FortiGate unit, go to User > Remote > LDAP and select Create New.
4 Enter the following information, and select OK.
Name: Enter a unique name to identify the FortiAuthenticator.
Server Name/IP: Enter the FortiAuthenticator unit IP address.
Server port: Leave this at the default (389). FortiAuthenticator uses default values for
LDAP and RADIUS servers. Ensure port 389 is open on the firewall.
Common Name Identifier: Set this to match your LDAP directory tree. The default
identifier is cn.
Distinguished Name: This is the top level of your LDAP tree, or the branch of your tree
that will be authenticated using this FortiGate unit. Once you have entered a
distinguished name, use the browse button to ensure you have a connection to the
FortiAuthenticator. If not, check your information.
Bind Type: Select the method that will be used to authenticate using the LDAP server.
Secure Connection: Leave unchecked.
5 Go to User > Single Sign-On > FSSO Agent.
6 Enter the following information, and select OK.
Name: Enter a name to identify the FortiAuthenticator as an FSSO agent.
FSSO Agent IP/Name: Enter the FortiAuthenticator unit IP address.
Port: This entry must match the FortiGate Listening Port in the FortiAuthenticator SSO
configuration. The default value is 8000. Ensure this port is open on the firewall.
Password: This entry must match the Secret Key entered in the FortiAuthenticator SSO
configuration.
LDAP Server: Enable LDAP server, and select the FortiAuthenticator LDAP server from
the list.
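The User Login Expiry setting in step 2 decides how long a polled logon keeps a client IP mapped to a user. The following added example, which is a model written for this guide and not FortiAuthenticator's own implementation, keeps such an IP-to-user table from constructed domain controller logon events and applies the 300-minute default: a newer logon from the same address replaces the earlier mapping, and a mapping with no fresh logon within the expiry period is dropped, so a FortiGate unit asking about that address gets no user. The event records, domain, user names and addresses are all constructed.

```python
"""Logon cache of an FSSO collector with User Login Expiry applied.
Added example; a simplified model, not FortiAuthenticator code."""

from datetime import datetime, timedelta, timezone


class LogonTable:
    def __init__(self, expiry_minutes=300):
        self.expiry = timedelta(minutes=expiry_minutes)
        self.sessions = {}   # client IP -> (DOMAIN\user, time of last logon)

    def process_event(self, event):
        """Record one polled logon event: {'time', 'domain', 'user', 'ip'}.
        A newer logon from the same IP replaces the previous mapping, which is
        what keeps a shared or re-used address from carrying a stale identity."""
        user = "%s\\%s" % (event["domain"], event["user"])
        self.sessions[event["ip"]] = (user, event["time"])

    def expire(self, now):
        """Drop mappings whose last logon is at least expiry old; return the IPs."""
        expired = [ip for ip, (_, t) in self.sessions.items()
                   if now - t >= self.expiry]
        for ip in expired:
            del self.sessions[ip]
        return expired

    def lookup(self, ip, now):
        """What a FortiGate unit asks: which user, if any, is behind this IP."""
        self.expire(now)
        entry = self.sessions.get(ip)
        return entry[0] if entry else None


# Constructed events, in the order they would be polled from a domain controller.
T0 = datetime(2012, 1, 11, 8, 0, tzinfo=timezone.utc)


def minutes_after(n):
    return T0 + timedelta(minutes=n)


EVENTS = [
    {"time": minutes_after(0),   "domain": "EXAMPLE", "user": "jsmith", "ip": "10.0.0.21"},
    {"time": minutes_after(10),  "domain": "EXAMPLE", "user": "jdoe",   "ip": "10.0.0.22"},
    {"time": minutes_after(200), "domain": "EXAMPLE", "user": "asingh", "ip": "10.0.0.21"},
]


def build_table(events=EVENTS, expiry_minutes=300):
    table = LogonTable(expiry_minutes)
    for ev in events:
        table.process_event(ev)
    return table


if __name__ == "__main__":
    t = build_table()
    print(t.lookup("10.0.0.21", minutes_after(201)))   # EXAMPLE\asingh
    print(t.lookup("10.0.0.22", minutes_after(310)))   # None (expired)
```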

Communicating with Domain Controllers


As the FSSO Controller agent, FortiAuthenticator polls the Windows AD Domain
Controllers for logon event information. Each Domain Controller that will be polled must
be configured on the FortiAuthenticator.
You can disable a Domain Controller entry without removing its configuration. This is
useful when testing, troubleshooting, or moving controllers within your network.
To add a domain controller to FortiAuthenticator
1 Go to Authentication > SSO > Domain Controllers.
2 Select Create New, enter the following information, and then select OK.
NetBIOS Name: Enter the name of the Domain Controller as it appears in NetBIOS.
Display Name: This is a unique name to easily identify this Domain Controller.
Network Address: Enter the network IPv4 address of this controller.
Account: Enter the account name used to access logon events. This account should have
administrator rights. To use a non-administrator account, see the FSSO chapter of the
FortiOS Handbook User Authentication guide.
Password: Enter the password for the Account selected above.
3 Repeat step 2 for each Domain Controller FortiAuthenticator will be polling.

Monitoring FSSO units


FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure
there is a connection to the different components when troubleshooting.

Monitoring SSO users


For this, go to Authentication > SSO Monitor > SSO Users.

Monitoring domain controllers


When FSSO domain controllers are registered with the FortiAuthenticator unit, they are
displayed in the monitor upon a successful connection. For this, go to Authentication >
SSO Monitor > Domain Controllers.

Monitoring FortiGate units


When a FortiGate unit is registered with the FortiAuthenticator unit, it is displayed in the
monitor upon a successful connection. For this, go to Authentication > SSO Monitor >
FortiGates.

Certificate Management
This section describes how FortiAuthenticator allows you to manage certificates,
including acting as a Certificate Authority.
FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of
X.509 certificates such as server certificates for HTTPS and SSH, and client certificates
for HTTPS, SSL, and IPsec VPN.
Any changes made to certificates generate log entries that can be viewed at Logging >
Log Access > Logs. See Logging on page 13.
This chapter includes:
Certificate Authorities (CA)
Users

Certificate Authorities (CA)


A certificate authority (CA) is used to sign other server and client certificates. The
authority comes from a well-known trusted authority trusting the CA. You must have a CA
certificate on your FortiAuthenticator before you can generate a user certificate.
Different CAs can be used for different domains or certificates. For example, if your
organization is international you may have a CA for each country, or a smaller
organization might have a different CA for each department. The benefits of multiple CAs
include redundancy in case there are problems with one of the well-known trusted
authorities.
Once you have created a CA certificate, you can export it to your local computer.
This section includes:
Certificates
Certificate Revocation List (CRL)

Certificates
Do not press Enter while entering the information until you have completed entering the
information, otherwise you will create the certificate with incomplete information.
Subject Alternative Names (SAN) allow you to protect multiple host names with a single
SSL certificate. SAN is part of the X.509 certificate standard. An example of where SANs
are used is to protect multiple domain names such as www.example.com and
www.example.net. This contrasts with a wildcard certificate, which can only protect all
first-level subdomains of one domain, such as *.example.com.
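The difference between a SAN list and a wildcard name is easiest to see by running a hostname check against both kinds of certificate. The following added example, not code from this guide, implements the dNSName matching rules of RFC 6125 section 6.4.3 (a wildcard covers exactly one left-most label and never spans a dot) and RFC 6125 section 6.4.4 (when a SAN list is present the Common Name is ignored). The two certificates are constructed dictionaries standing in for real X.509 objects, using the www.example.com, www.example.net and *.example.com names from the text.

```python
"""Which host names does a certificate actually cover?  SAN list vs wildcard.
Added example; the certificates are constructed dictionaries, not X.509 data."""


def _label_matches(pattern, label):
    """A pattern label matches if it is the whole-label wildcard '*' or equal.
    Partial wildcards such as w*.example.com are deliberately not accepted."""
    return pattern == "*" or pattern == label


def name_matches(presented, hostname):
    """True if one presented dNSName covers hostname (case-insensitive)."""
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                     # a wildcard never spans a dot
    if "*" in p_labels:
        # Only the left-most label may be a wildcard, and *.com style names
        # (fewer than three labels) are refused.
        if p_labels[0] != "*" or p_labels.count("*") > 1 or len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(cert, hostname):
    """True if the certificate covers hostname.  With a SAN list present, the
    CN is not consulted at all, as current browsers behave."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


# Constructed certificates for the two cases the text describes.
SAN_CERT = {"cn": "www.example.com",
            "san": ["www.example.com", "www.example.net"]}
WILDCARD_CERT = {"cn": "*.example.com", "san": ["*.example.com"]}
CN_ONLY_CERT = {"cn": "mail.example.com"}   # legacy: no SAN extension


if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.net"),
                       (SAN_CERT, "mail.example.com"),
                       (WILDCARD_CERT, "mail.example.com"),
                       (WILDCARD_CERT, "a.b.example.com"),
                       (WILDCARD_CERT, "example.com")]:
        print(host, "covered" if cert_covers(cert, host) else "NOT covered")
```

Note the two misses for the wildcard certificate: it covers mail.example.com but neither a.b.example.com (a second-level name) nor the bare example.com, which is why a certificate that must protect several distinct hosts needs a SAN list rather than a wildcard.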
The certificate information including subject, issuer, status, and CA type are displayed on
the Certificate Management > Certificate Authorities > Certificates page.
If you have many certificates, you can use the search feature to find one or more specific
certificates. The search will return certificates that match either subject or issuer.
To create a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Create New.

3 Enter the following information and select OK.
Certificate type: Select one of the following types of CA certificates:
  Root CA certificate: a self-signed CA certificate.
  Intermediate CA certificate: a CA certificate that refers to a different root CA as the
  authority.
  Intermediate CA certificate signing request (CSR).
The fields displayed change based on your certificate type.
Certificate Authority: Select one of the available certificate authorities (CAs) configured
on the FortiAuthenticator from the drop-down list. This field is displayed only when
Intermediate CA certificate is selected.

Subject information
Subject input method: Select to enter either a Fully distinguished name (DN) or
Field-by-Field. Default value is Field-by-Field. The fields displayed for subject
information change based on your subject input method.
Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet,
CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They
are case-sensitive. This field is only displayed when the fully distinguished name (DN)
subject input method is selected.
Name (CN), Company (O), Department (OU), City (L), State/Province (ST), Country (C):
Enter each value in the field provided. These fields need to match the information of the
user who will be using the certificate; the fields will be assembled into a distinguished
name for the certificate. Select your country from the drop-down list. Each country
includes its two-letter code.

Subject Alternative Name
Email: Enter the email address of a user to map to this certificate. This field is not
available if certificate type is CSR.
User Principal Name (UPN): Enter the user principal name used to find the user's
account in Microsoft Active Directory. This will map the certificate to this specific user.
The UPN is unique for the Windows Server domain. This is a form of one-to-one
mapping. This field is not available if certificate type is CSR.

Additional Options
Validity Period: Select how long before this certificate expires. Select either a set
number of days and enter the total number of days before this certificate expires (such
as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in
YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a
date. This field is not available if certificate type is CSR.
Key Type: The key type is set to RSA.
Key Size: Select the key size as one of 1024, 2048, or 4096 bits long.
Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA-256.


To import a CA certificate
1 Go to Certificate Management > Certificate Authorities > Certificates.
2 Select Import.
3 Enter the following information and select OK.
Type: Select the type of CA certificate to import: PKCS12 Certificate or Certificate and
Private Key.
PKCS12 certificate file: Select the certificate file from your local computer to upload to
the FortiAuthenticator. This field is visible only if PKCS12 type is selected.
Certificate file: Select the certificate file from your local computer to upload to the
FortiAuthenticator. This field is visible only if you selected Certificate and Private Key
type.
Private key file: Select the private key file from your local computer to upload to the
FortiAuthenticator. This field is visible only if you selected Certificate and Private Key
type.
Passphrase: Enter the passphrase associated with this certificate.
Serial number radix: Select the radix of the serial number as either decimal or hex.
Initial serial number: Enter the starting serial number for the CA certificate.

Certificate Revocation List (CRL)


A Certificate Revocation List (CRL) is a file that contains a list of revoked certificates, their
serial numbers, and their revocation dates. A CRL file also contains the name of the
issuer of the CRL, the effective date, and the next update date. By default, the shortest
validity period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
a CA server was hacked and its certificates are no longer trustworthy,
a single certificate was compromised and is no longer trustworthy, or
in some cases when certificates expire they are added to the list to ensure they are
not used past their lifetime.
To import a Certificate Revocation List (CRL)


1 Download the most recent CRL from a CRL Distribution Point (CDP). One or more
CDPs are usually listed in a certificate under the Details tab.
2 Go to Certificate Management > Certificate Authorities > CRL.
3 Select Import.
4 Select a CRL file from your local computer, and select OK.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You
can select it to see the details.

Locally created CRL


When you import a CRL, it is from another authority. If you are creating your own CA
certificates, then you can also create your own CRL to go with them.
As a CA, you sign user certificates. If for any reason you need to revoke one of those
certificates, it will go on a local CRL. When this happens you need to export the CRL to
all your certificate users so they are aware of the revoked certificate.
To create a local CRL
1 Create a local CA certificate. See Certificate Authorities (CA) on page 39.
2 Create one or more user certificates. See Users on page 43.
3 Go to Certificate Management > Users > Certificates.
4 Select one or more certificates and select Revoke.
You will be prompted for the reason for the revocation as one of:
Unspecified
Key has been compromised
CA has been compromised
Changes in affiliation
Superseded
Operation ceased
On hold
Some of these reasons are security related (such as key or CA compromised), whereas
others are more business related: a change in affiliation could just be an employee
leaving the company, and operation ceased could be a project that was cancelled.
5 Select OK.
The certificates selected will be removed from the User Certificate list, and a CRL will be
created with those certificates as entries in the list.
If there is already a CRL for the CA that signed the user certificates, they will be added to
the current CRL.
If at a later date one or more CAs are deleted, their corresponding CRLs will be deleted
as well, along with any user certificates they signed.
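The following added example, a model written for this guide rather than FortiAuthenticator code, ties together the CRL contents described under Certificate Revocation List (CRL) above (issuer, effective date, next update date, and entries with serial number, revocation date and reason) and the revocation reasons offered in step 4. The reason names map onto the CRLReason codes of RFC 5280 section 5.3.1. Its check_status function shows the two checks a relying party must make before trusting a CRL's answer: the CRL must come from the CA that issued the certificate, and its next update date must not have passed, because a certificate is never "good" on the strength of a stale CRL. The one-hour validity period is the shortest one the text mentions. The CA name, serial numbers and dates are constructed, and the CRL is a plain dictionary rather than a DER-encoded object.

```python
"""CRL contents, revocation reasons and the relying-party status check.
Added example; a model, not FortiAuthenticator code."""

from datetime import datetime, timedelta, timezone

# RFC 5280 CRLReason codes, keyed by the names used in the revoke dialog.
# "On hold" (certificateHold) is the only reason that can later be lifted.
CRL_REASONS = {
    "Unspecified": 0,
    "Key has been compromised": 1,
    "CA has been compromised": 2,
    "Changes in affiliation": 3,
    "Superseded": 4,
    "Operation ceased": 5,
    "On hold": 6,
}
REASON_NAMES = {code: name for name, code in CRL_REASONS.items()}


def make_crl(issuer, this_update, validity=timedelta(hours=1)):
    """Create an empty CRL.  nextUpdate tells the relying party when it must
    have fetched a fresh copy; one hour is the shortest validity period."""
    return {"issuer": issuer, "this_update": this_update,
            "next_update": this_update + validity, "entries": {}}


def revoke(crl, serial, reason, when):
    """Add a certificate to the CRL as serial -> (revocation date, reason code)."""
    if reason not in CRL_REASONS:
        raise ValueError("unknown revocation reason: %r" % reason)
    crl["entries"][serial] = (when, CRL_REASONS[reason])
    return crl


def check_status(cert, crl, now):
    """Return 'good', 'revoked (<reason>)', 'unknown' or 'stale'.

    'unknown': the CRL was issued by a different CA, so it says nothing about
    this certificate.  'stale': nextUpdate has passed; the CRL must be refreshed
    before any certificate is treated as good."""
    if crl["issuer"] != cert["issuer"]:
        return "unknown"
    if now > crl["next_update"]:
        return "stale"
    entry = crl["entries"].get(cert["serial"])
    if entry is None:
        return "good"
    _revoked_at, code = entry
    return "revoked (%s)" % REASON_NAMES[code]


# Constructed data: one CA, one revoked and one valid certificate.
T0 = datetime(2012, 1, 11, 9, 0, tzinfo=timezone.utc)
SOON = T0 + timedelta(minutes=5)     # within the CRL's one-hour validity
LATER = T0 + timedelta(hours=2)      # past nextUpdate
EXAMPLE_CRL = revoke(make_crl("CN=Example Corp CA", T0),
                     1001, "Key has been compromised", T0)
REVOKED_CERT = {"issuer": "CN=Example Corp CA", "serial": 1001}
GOOD_CERT = {"issuer": "CN=Example Corp CA", "serial": 1002}
FOREIGN_CERT = {"issuer": "CN=Other CA", "serial": 1002}


if __name__ == "__main__":
    for cert, when in [(REVOKED_CERT, SOON), (GOOD_CERT, SOON),
                       (GOOD_CERT, LATER), (FOREIGN_CERT, SOON)]:
        print(cert["serial"], check_status(cert, EXAMPLE_CRL, when))
```

Exporting a new CRL to every relying party after each revocation, as the text requires, is what keeps them from hitting the "stale" outcome: a party that cannot get a fresh CRL has no basis for treating any certificate from that CA as good.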

Configuring Online Certificate Status Protocol


As well as manual CRL, FortiAuthenticator also supports Online Certificate Status
Protocol (OCSP), defined in RFC 2560. To use OCSP, point the NAS at TCP port 2560 on
the FortiAuthenticator IP address.
For example, configuring OCSP in the FortiGate CLI for a FortiAuthenticator with an IP
address of 172.20.120.16 looks like this:
config vpn certificate ocsp
set cert "REMOTE_Cert_1"
set url "http://172.20.120.16:2560"
end

Users
User certificates are required for mutual authentication on many HTTPS, SSL, and IPSec
VPN network resources. You can create a user certificate on FortiAuthenticator or import
and sign a Certificate Signing Request (CSR). User certificates, client certificates, or local
computer certificates are the same type of certificate.
To create a user certificate
1 Go to Certificate Management > Users > Certificates.
2 Select Create New.
3 Enter the following information and select OK.
The Certificate Authority used must be valid and current. If it is not you will have to
create or import a CA certificate before continuing. See Certificate Authorities (CA) on
page 39.
Certificate Signing Options
Certificate Authority: Select one of the available certificate authorities (CAs) configured
on the FortiAuthenticator from the drop-down list. The CA must be current.

Subject information
Subject input method: Select to enter either a Fully distinguished name (DN) or
Field-by-Field. Default value is Field-by-Field.
Subject DN: Enter the full DN of the subject. For example C=CA, O=Fortinet,
CN=John Smith. Valid DN attributes are C, ST, L, O, OU, CN, and emailAddress. They
are case-sensitive. This field is only displayed when the fully distinguished name (DN)
subject input method is selected.
Name (CN), Company (O), Department (OU), City (L), State/Province (ST), Country (C):
Enter each value in the field provided. Select your country from the drop-down list. Each
country includes its two-letter code.

Subject Alternative Name
Email: Enter the email address of a user to map to this certificate.
User Principal Name (UPN): Enter the user principal name used to find the user's
account in Microsoft Active Directory. This will map the certificate to this specific user.
The UPN is unique for the Windows Server domain. This is a form of one-to-one
mapping.

Additional Options
Validity Period: Select how long before this certificate expires. Select either a set
number of days and enter the total number of days before this certificate expires (such
as 3650 days for a life of 10 years), or set an expiry date by entering the expiry date in
YYYY-MM-DD format, selecting Today, or using the Calendar icon to help you select a
date.
Key Type: The key type is set to RSA.
Key Size: Select the key size as one of 1024, 2048, or 4096 bits long.
Hash Algorithm: Select the hash algorithm used as one of SHA-1 or SHA-256.

4 Confirm the certificate information is correct by selecting the certificate entry.


This will bring up the text of the certificate including the version, serial number, issuer,
subject, effective and expiration dates, and the extensions.
If any of this information is out of date or incorrect, you will not be able to use this
certificate. If this is the case, delete the certificate and re-enter the information.
5 Once the information is confirmed, you can export the certificate to the user's
computer and import it into the proper application there, such as a browser or
FortiClient.
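Both subject input methods in the CA and user certificate dialogs above end up as one distinguished name, and the Subject DN field accepts only the attribute types C, ST, L, O, OU, CN and emailAddress, matched case-sensitively. The following added example, not FortiAuthenticator's own validation code, assembles a DN from Field-by-Field values in the dialog's label names and validates a typed DN against that attribute set, so a script that prepares certificate subjects in bulk rejects bad input before it reaches the CA. The label-to-attribute mapping and the comma-separated DN form come from the text; the check that the Country value is a two-letter code is this example's assumption based on the country drop-down list, and RFC 4514 escaping (a comma inside a value written as \,) is deliberately not handled.

```python
"""Assemble and validate certificate subject DNs for the two input methods.
Added example; not FortiAuthenticator code."""

import re

# Attribute types the Subject DN field accepts; comparison is case-sensitive,
# so 'cn=' is rejected even though 'CN=' is valid.
VALID_ATTRIBUTES = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")

# Field-by-Field labels as shown in the dialog, mapped to DN attribute types.
FIELD_TO_ATTR = {"Name": "CN", "Company": "O", "Department": "OU",
                 "City": "L", "State/Province": "ST", "Country": "C"}
FIELD_ORDER = ("Country", "State/Province", "City", "Company", "Department", "Name")


def parse_dn(dn):
    """Split 'C=CA, O=Fortinet, CN=John Smith' into (attr, value) pairs.
    Raises ValueError for a malformed RDN or an unknown attribute type.
    Assumption: values contain no escaped commas (RFC 4514 '\\,')."""
    pairs = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        attr, sep, value = rdn.partition("=")
        if not sep or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        if attr not in VALID_ATTRIBUTES:
            raise ValueError("invalid DN attribute %r (valid, case-sensitive: %s)"
                             % (attr, ", ".join(VALID_ATTRIBUTES)))
        pairs.append((attr, value.strip()))
    return pairs


def dn_error(dn):
    """None if the DN is acceptable, otherwise the reason it is not."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return str(exc)
    country = dict(pairs).get("C")
    # Assumption of this example: the country is the two-letter code the
    # dialog's drop-down list supplies (ISO 3166 alpha-2).
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        return "country must be a two-letter code"
    return None


def assemble_dn(fields):
    """Build a DN from Field-by-Field input keyed by the dialog labels,
    keeping only the fields that were filled in."""
    parts = []
    for label in FIELD_ORDER:
        value = fields.get(label, "").strip()
        if value:
            parts.append("%s=%s" % (FIELD_TO_ATTR[label], value))
    return ", ".join(parts)


def subject_from_request(method, data):
    """Normalise either input method to a validated list of (attr, value) pairs.
    method is 'Field-by-Field' (data: dict of dialog labels) or
    'Fully distinguished name (DN)' (data: DN string)."""
    if method == "Field-by-Field":
        data = assemble_dn(data)
    elif method != "Fully distinguished name (DN)":
        raise ValueError("unknown subject input method: %r" % method)
    err = dn_error(data)
    if err:
        raise ValueError(err)
    return parse_dn(data)


if __name__ == "__main__":
    fields = {"Name": "John Smith", "Company": "Fortinet", "Country": "CA",
              "Department": ""}
    print(assemble_dn(fields))              # C=CA, O=Fortinet, CN=John Smith
    print(dn_error("cn=John Smith"))        # invalid DN attribute 'cn' ...
```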

Index
A
Authentication Activity widget, 33
Authentication, Authorization, and Accounting (AAA), 9, 25

C
certificate authority (CA), 39
Certificate Revocation List (CRL), 41
Certificate Signing Request (CSR), 43
common name, LDAP servers, 27
Controller Agent, 35
CRL Distribution Point (CDP), 42

D
dashboard
  Authentication Activity widget, 33
  User Inventory widget, 33
default password, 7
distinguished names
  LDAP servers, 28
domain component, LDAP servers, 27
Domain Controllers, 37

E
explicit proxy, 20

F
firewall
  open ports, 11
  ports, 11
firmware updates, 7
FortiGuard, 25
FortiGuard Antivirus, 7
Fortinet Server Authentication Extension (FSAE), 35
Fortinet Single Sign On (FSSO), 35
  Agent, 35
  Domain Controllers, 37
  ports, 11
FortiToken, 24
  clock drift, 25
  monitoring, 25
  NTP, 12
  registering, 25
  synchronization, 25

H
hierarchy
  LDAP servers, 27

L
LDAP servers
  common name, 27
  distinguished names, 28
  domain component, 27
  hierarchy, 27
  Lightweight Directory Access Protocol (LDAP), 27
  ports, 11
  remote server, 26
Logging, 13
NAS, 26

M
Microsoft Active Directory, 40, 44
mode, operation, 7
monitor
  users, 33
Monitoring, 33

N
network access server (NAS), 25
NTP, 12

O
one-time password (OTP), 24
Online Certificate Status Protocol (OCSP), 42
operation mode, 7

P
password
  administrator, 7
ports, 11
product registration, 7
proxy, 20

R
RADIUS
  NAS, 25
  ports, 11
  server, 21
remote LDAP, 26

S
Subject Alternative Names (SAN), 39

T
technical support, 7
troubleshooting, 17
two-factor authentication
  FortiToken, 24

U
User Inventory widget, 33
User Principal Name (UPN), 40, 44
users, 21
  monitor, 33
  monitor, dashboard, 33
  NAS, 21
  RADIUS authentication, 21

W
Windows AD Domain Controllers, 37
Windows Server, 40, 44